GDPR

What personal data of third parties is processed by IO?

For the most part, only names, emails and telephone numbers of individuals located worldwide who provide this data to IO customers via the customers' websites. The customers in turn provide this data to IO.

What is the purpose of the processing?

IO processes, and conducts web analytics on, data subjects’ personal data provided by IO customers. IO runs analytics on the provided data and provides its customers with a report on it.

Personal data is included in the data that IO customers provide to IO for such analysis only in individual cases. If so, the personal data processed during the analysis amounts to only approximately 1% of the overall data provided to IO.

What are the processing activities?

The main processing activities conducted by IO with regard to personal data of third parties are the following:

  • collecting;
  • tracking;
  • structuring;
  • storing;
  • retrieving;
  • using; and
  • erasing.

Personal data of third parties, if provided by IO customers, is not changed during the processing activities of IO.

Who from IO has access to processed personal data?

IO makes every effort to minimize the processing of personal data. In this regard, IO has implemented organizational and technical security measures which allow only the minimum necessary number of IO employees to process personal data of third parties.

After the successful implementation of a GDPR compliance system, only 2-3 employees in the Kyiv office of IO have access to the personal data of third parties.

Where is personal data processed?

Data provided by IO customers is processed only on systems located in Germany and the Netherlands. The web analysis of IO is conducted only via these servers.

Access to the final customer reports is possible for a very limited number of IO employees in Ukraine and for IO customers worldwide.

Is the personal data being processed by individuals?

No, usually all processing activities are conducted automatically by IO scripts and only on servers located in Germany and the Netherlands.

Only in rare cases of script problems (e.g., bugs) might IO employees need to look at ad hoc final reports and access the servers to solve technical problems. In these cases, such employees might also review personal data included in the reports.

What are the technical security measures for personal data protection?

IO has already implemented best practices at the level of IT standards to protect data in general, and personal data in particular.

IO also conducts several IT security tests on a regular basis in order to audit and evaluate potential security issues.

IO has in place sophisticated and adequate security measures, on both the organizational and the technical side, to protect personal data and to comply with the requirements of the GDPR (European General Data Protection Regulation).

What are the organizational security measures for personal data protection?

IO has in place sophisticated and adequate security measures, on both the organizational and the technical side, to protect personal data and to comply with the requirements of the GDPR (European General Data Protection Regulation).

Based on this, IO has, among others, the following organizational security measures in place:

  • a Data Protection Officer;
  • an EU Representative;
  • an established personal data protection system (policies, training for employees);
  • personal data protection contractual clauses with business partners and customers;
  • a safeguard system and structure for all personal data which is transferred from the EEA to recipients outside the EEA; and
  • confidentiality contracts with IO employees.

Who are the recipients of processed personal data?

The recipients are IO customers only.

Is personal data transferred outside the EEA?

A transfer from IO servers inside the EEA to recipients outside the EEA is possible when IO customers are located outside the EEA and access IO reports, which in rare cases also include personal data.

For these purposes, IO concludes contracts and has in place other safeguarding measures to protect transfers from its servers in the EEA to recipients outside the EEA. The safeguard measures are in line with, and comply with, the GDPR requirements.

What is the legal basis for processing personal data?

The legal basis for all processing actions is a contract between IO and its customers.

IO customers provide IO with data of their own clients. IO has contractual clauses in place with its business partners that provide for compliance with the GDPR.

IO completely fulfills its obligations under the GDPR.

Can I withdraw my consent?

Yes. Every data subject has the right to withdraw their consent. This withdrawal of consent needs to be filed with the controller of the personal data. As to personal data of EU citizens, IO acts only as a data processor. However, IO can support the data subject in forwarding this request to the responsible data controller.

Can I access my personal data?

Yes. Every data subject has the right to access their personal data. This request needs to be filed with the controller of the personal data. As to personal data of EU citizens, IO acts only as a data processor. However, IO can support the data subject in forwarding this request to the responsible data controller.

Can you erase my personal data?

Yes. Every data subject has the right to request the erasure of their personal data. This request needs to be filed with the controller of the personal data. As to personal data of EU citizens, IO acts only as a data processor. However, IO can support the data subject in forwarding this request to the responsible data controller.

What are the time limits for storing personal data?

IO stores personal data of EU citizens in connection with the contractual obligations it has towards its customers. This can differ on a case-by-case basis. Nevertheless, IO fulfills the principle of data minimization and its obligations under the GDPR, including with regard to data storage.

What are the categories of data subjects?

The data subjects whose personal data is processed by IO are limited to users of the websites of IO customers.

Does IO process children’s personal data?

IO does not actively collect information about the age of data subjects. IO is also not responsible for the construction of its customers’ websites. However, if IO becomes aware that it processes personal data of children, special data protection measures are in place.

Does automated processing significantly affect data subjects’ rights?

No. Automated processing does not lead to automated decision-making, and it does not have a significant impact on data subjects’ rights, as personal data is used only for analytical reports for IO customers.

Who are the data controllers?

The controllers of the personal data are the IO customers.

Is any sensitive personal data or data regarding criminal convictions processed by IO?

No.


Contacts

EU Representative:
Mr. Sven Henniger
sven.henniger@onthe.io

Vienna, Austria
